ABSTRACT

Intended to generate discussion and motivate proactive intervention in matters of information security, this paper defines and discusses some of the key issues relating to information security on college and university campuses, based on in-depth interviews conducted at eight selected higher education institutions of varying size and composition in the spring of 1989. Findings, observations, and suggestions for further research are presented in eight areas: (1) Awareness of Information Security; (2) Information Security Concerns, including confidentiality, telecommunications, microcomputers, business continuity/disaster recovery planning, and physical security; (3) Risk Assessment; (4) Information Security Policies, including microcomputer policies; (5) Security and Control; (6) Information Security Administration; (7) Design, Review, and Testing of Information Security: The Role of Auditors and Consultants; and (8) Information Security Issues for the 1990s, including networks, end-user computing, and the pace of technological advances. It is concluded that one of the most difficult challenges information technology managers at colleges and universities face today is finding the correct balance between academic freedom and essential security measures. A copy of the interview guide is appended, as well as a profile of Coopers & Lybrand, the corporate sponsor of the study, and an annotated listing of six reports in the Professional Paper Series. (24 additional readings) (BBM)
Introduction



On the evening of November 2, 1988, a computer "worm" program attacked the Internet.¹ The attack continued for several days and infected as many as 6,000 machines. Taking advantage of widely known flaws in software frequently installed on UNIX systems, and using a mechanism designed to simplify resource sharing in local area networks, the worm replicated uncontrollably, eventually overwhelming the processing capabilities of many infected machines until they failed completely. The cost of such an attack is difficult to estimate. Thousands of hours of system availability were lost, and tens of thousands of hours were required to correct problems created by the attack. The intangible effects were possibly even more serious: loss of confidence, a retreat from the productive sharing of resources, and undeserved tarnishing of reputations, to name a few.

The Internet attack was not the first computer virus attack, nor will it be the last. The first documented virus, the Creeper, began to spread in 1971 through the ARPAnet, a national network linking university, military, and corporate computers. The Creeper was relatively harmless, its only function being self-replication. In a more damaging incident, the Christmas Trojan horse infected BITNET in December 1987, appearing on five continents and seriously disrupting IBM's global electronic mail network for seventy-two hours.² The widely publicized AT&T outage in January 1989 was reputedly the result of sabotage. Even the Defense Department's computer security has been successfully breached on more than one occasion. The FBI estimates the average computer crime costs $400,000, and Coopers & Lybrand estimates annual worldwide losses to computer misconduct at $15 billion.

¹The "Internet" is the name given to the interconnected networks in the NSFNET, a high-speed electronic network created with support from the National Science Foundation that is made up of a transcontinental backbone of trunk lines connecting a number of regional networks, each of which connects a dozen or more campus-area networks. Information about NSFNET, including guidelines on viruses and protecting information resources, is available by sending an electronic mail message to INFO-SERVER@NNSC.NSF.NET containing the text:

Request: NSFNET
Topic: Help

The American Council on Education published a white paper in May 1989 entitled Computer Viruses: Legal and Policy Issues Facing Colleges and Universities. The authors of that paper questioned whether colleges and universities were particularly vulnerable to virus attacks. Their answer: "Probably. Institutions of higher learning often have an unusual concentration of people with computer expertise and the freedom and incentive to explore frontier technologies."³ This observation applies to all security issues. One of the most difficult challenges information technology managers at colleges and universities face is finding the correct balance between academic freedom and essential security measures.

A strong motivation for seeking that balance is the threat of legal liability. Colleges and universities can be held responsible for the irresponsible conduct of their students or their employees. In all cases, protection of critical information assets is a fundamental responsibility of information systems organizations. Absolute protection is unrealistic and unnecessary. All security measures impose some inconvenience and inefficiency and involve some overhead. For example, secret passwords need to be remembered, entered to obtain access, and controlled by software which uses system resources. Physical access control systems may require the user to carry a card, and they certainly impose some delay upon entering and sometimes upon exiting. The optimal level of protection is the minimum that the institution's risks actually require, and that level can be difficult to define.

²Allan Lundell, Virus! The Secret World of Computer Invaders that Breed and Destroy (Chicago: Contemporary Books, 1989).

³David R. Johnson, Thomas P. Olson, and David C. Post, A White Paper on Computer Viruses: Legal and Policy Issues Facing Colleges and Universities (Washington, D.C.: American Council on Education and United Educators Insurance, March 1989).

The purpose of this paper is to define and discuss some 
of the security issues facing higher education today and 
in the near future. We conducted in-depth interviews at 
eight colleges and universities of varying size and 
composition to gain insight about how they perceive 
and approach their security concerns. We did not 
consider our survey a scientific sample, nor did we 
intend to draw broad conclusions from what is not 
necessarily a representative subset of colleges and 
universities. We expected to discover some interesting 
consistencies, however, and we did. 

If this paper generates discussion and motivates proactive intervention in matters of information security, it will have accomplished its end. After all, information isn't harmful; it's how we use or misuse it that helps or hurts us. As Dr. Fred Cohen, who formally defined the term "computer virus" while a graduate student at the University of Southern California, said when speaking about computer viruses (as quoted in a May 9, 1988, Dallas Morning News article): "Ignorance isn't bliss. It's suicide."

Key Findings 

The findings from our campus interviews that we feel 
best frame and introduce the discussion that follows in 
the next section are: 

• Administrators and operations staff are most aware, and faculty and students are least aware, of information security issues.

• The issues affecting computer operations rank in order of importance as follows:

— Confidentiality

— Telecommunications 

— Microcomputers 

— Contingency Planning/Disaster Recovery 

— Physical Security 

• Because institutions have assessed risk in specific areas of computer operations, senior level administrators do not believe an overall security risk assessment is warranted.

• Not all institutions have developed security poli- 
cies, and most existing policies do not specifically 
address microcomputer security. 

• Security administration is more often a part-time 
than a dedicated function. 

• Expanded use of networks, end-user computing, 
and the impact of technological advances on 
security are seen as the issues most likely to affect 
information security in the 1990s, with image 
processing and paperless systems identified as the
technologies most likely to affect computer opera- 
tions in the next decade. 

Although not conclusive, our study identifies some key 
issues relating to information security at colleges and 
universities. Given the rapid pace of technological 
change, the decentralization of computing, and the 
proliferation of computers, networks, and users of 
varying capabilities in the academic setting, informa- 
tion security is an area of significant importance in 
higher education. 

Observations and Concerns 

We were not surprised to discover that the higher 
education executives and managers we interviewed 
were very knowledgeable and aware of information 
security issues. In addition to the issues they identified, 
we would add some concerns based on our analysis of 
the findings of our study, our experience in serving 
institutions of higher learning, and our thoughts about 
the future of computer use on college campuses. 

• We believe that in today's environment security risk assessments should be performed regularly to ensure the adequacy of information security policies and procedures.

• We believe that higher education administrators should give serious consideration to addressing viruses — a relatively new threat — and microcomputer security issues. In our opinion, these issues will become more significant, given the increasing use of networks on college campuses and the increasing number of microcomputer users.

• Given the size, complexity, and importance of the 
computing environments in institutions of higher 
education today, we believe that colleges and 
universities should provide business continuity/ 
disaster recovery plans to protect themselves from 
worst-case scenarios which will hopefully never 
occur. 

• Although some colleges and universities are hiring risk managers, we believe that more institutions should either assign this responsibility to existing staff with appropriate training or hire outside personnel to carry out this function. Moreover, risk managers' responsibilities should include regularly reviewing their institution's information security policies and procedures. These policies and procedures may need to be updated frequently to accommodate the ever-changing computer environment.

Institutions of higher learning should be alert to pos- 
sible enhancements in their information security poli- 
cies and procedures. After the Internet worm incident, 
Cornell University established an inquiry commission 
to review its security measures. Their report concluded: 
"The university can only encourage reasonable behav- 
ior. It cannot guarantee that university policies and 
procedures will be followed."⁴

We conclude this introduction with the same cautionary note. Information security administrators and others in the higher education community need to reassess their information security policies and procedures, increase awareness, and otherwise do as much as possible to protect themselves from computer viruses and other threats and adverse situations. In other words, they should do as much as they can to "encourage reasonable behavior."



⁴The Computer Worm: A Report to the Provost of Cornell University on an Investigation Conducted by the Commission of Preliminary Inquiry (Ithaca, N.Y.: Cornell University, 1989). Commission members: Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb, M. Stuart Lynn (Chair), and Thomas Santoro.
Summary of Findings



After identifying what we believed to be the broad 
information security issues relevant to computer pro- 
cessing, we organized those issues into an "interview 
guide" (included in the Appendix) that formed the basis 
for conducting interviews with the participants in our 
study. 

The study was conducted in the spring of 1989 by visiting the campuses of eight colleges and universities:

• Maricopa Community Colleges 

• Ohio State University 

• Swarthmore College 

• University of Miami 

• University of North Carolina at Greensboro 

• University of Southern California 

• Virginia Polytechnic Institute and State University

• Yale University 

On each of these campuses, we interviewed the 
executive(s) directly responsible for information pro- 
cessing for both academic and administrative comput- 
ing. Where possible, we also interviewed security 
administrators or the highest level of executive man- 
agement involved in computing operations. 

Issues were identified, our study was conducted, and 
findings are herein summarized in eight areas: 

• Awareness of Information Security 

• Information Security Concerns 

• Risk Assessment 

• Information Security Policies 

• Security and Control 

• Information Security Administration 

• Design, Review, and Testing of Information Security: The Role of Auditors and Consultants

• Information Security Issues for the 1990s



Within each area, notable findings are presented and 
related issues that would benefit from further research 
are identified. 

1 — Awareness of Information Security 

It is arguable that broad-based awareness of security issues is the single most effective means of ensuring information security. The effectiveness of most security measures depends largely on the behavior of the people affected by those measures. For example, an access control system based on secret passwords is effective only if people do not share their passwords.
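The failure mode named above, a password scheme quietly defeated because the password has been shared, leaves traces in login records that a security administrator can look for. The following is an added example, not code from the original paper or from any of the surveyed institutions, that flags accounts showing concurrent sessions from different hosts, or logins from more than a set number of distinct hosts within a time window, which are the two simplest indicators of a shared password. The record format (timestamp, user, host, login or logout), the sample records, and the thresholds are all constructed for this example.

```python
"""Flag accounts whose login pattern suggests a shared password.

Added example; the log format and the records below are constructed
for illustration and are not from the original paper.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <user> <host> <login|logout>".
SAMPLE_LOG = """\
1989-04-03T08:02:11 jsmith term07 login
1989-04-03T08:05:40 jsmith term07 logout
1989-04-03T09:10:02 akim lab1-pc3 login
1989-04-03T09:12:30 akim lab2-pc9 login
1989-04-03T09:15:00 akim lab4-pc1 login
1989-04-03T09:40:00 akim lab1-pc3 logout
1989-04-03T09:41:00 akim lab2-pc9 logout
1989-04-03T09:42:00 akim lab4-pc1 logout
1989-04-03T10:00:00 rlee term12 login
1989-04-03T10:30:00 rlee term12 logout
1989-04-03T11:00:00 rlee term03 login
1989-04-03T11:20:00 rlee term03 logout
"""


def parse_log(text):
    """Parse the constructed format into (time, user, host, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, host, event = line.split()
        events.append((datetime.fromisoformat(ts), user, host, event))
    events.sort(key=lambda e: e[0])
    return events


def find_shared_accounts(text, window=timedelta(hours=1), max_hosts=2):
    """Return a list of findings, each (kind, user, host, related_hosts).

    kind == "concurrent": the user logged in from `host` while still logged
        in from other hosts (one person is rarely at two terminals at once).
    kind == "many_hosts": within `window` the user logged in from more than
        `max_hosts` distinct hosts.
    Both thresholds are assumptions chosen for the constructed sample.
    """
    open_sessions = defaultdict(dict)   # user -> {host: login time}
    recent_logins = defaultdict(list)   # user -> [(login time, host)]
    findings = []
    for ts, user, host, event in parse_log(text):
        if event == "login":
            others = sorted(h for h in open_sessions[user] if h != host)
            if others:
                findings.append(("concurrent", user, host, others))
            open_sessions[user][host] = ts
            # Drop logins older than the sliding window before counting hosts.
            recent_logins[user] = [(t, h) for t, h in recent_logins[user] if ts - t <= window]
            recent_logins[user].append((ts, host))
            hosts = sorted({h for _, h in recent_logins[user]})
            if len(hosts) > max_hosts:
                findings.append(("many_hosts", user, host, hosts))
        elif event == "logout":
            open_sessions[user].pop(host, None)
    return findings


if __name__ == "__main__":
    for kind, user, host, related in find_shared_accounts(SAMPLE_LOG):
        print(f"{kind:<11} user={user} host={host} related={related}")
```

On the sample, the account akim is flagged three times (two overlapping sessions and three hosts inside one hour) while rlee, who moved between two terminals sequentially, is not. A finding is a lead for the security administrator to follow up with the account holder, not proof of sharing; the window and host-count thresholds should be tuned to how people actually move between terminals on a given campus.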

If people are to be aware of security issues, they need to be educated about their institution's security concerns and solutions, and they must understand their role in making security measures effective. Such information helps convince people that security measures are necessary and valuable, even given the inconveniences associated with them. In addition, it is advisable to reinforce institutional security values over time to maintain security awareness.

The colleges and universities we surveyed depend largely on definitions of appropriate conduct (codes of conduct, bylaws, formal security policies, even federal and state laws) to establish information security responsibilities and awareness of those responsibilities. In most instances, mainframe computer privileges are issued only after potential users sign an authorization form containing the conditions under which access is granted. In striking contrast, we found a widespread absence of even such rudimentary measures in the microcomputer environment. For example, only two of the institutions have a code of conduct for microcomputer use, one of which was described as "inadequate" by the participant who reported it. Overall, we found little evidence of proactive security awareness programs, and participants reported no immediate plans for increasing awareness of information security issues.

An institutional commitment to security awareness 
must come from top administration. Administrators 
generally stay informed about pertinent information 
security issues by relying on senior information systems 
professionals and internal and external auditors. Ad- 
ministrators are often reactive to information security 
since they are frequently unable to devote adequate 
time to such issues. For example, corrective actions 
frequently result only after an unfavorable comment in 
the annual audit report, or a highly publicized event 
like a virus attack. 

The Internet worm elicited considerable concern from 
administrators at the colleges and universities we sur- 
veyed. They wanted to know whether their institution 
had been affected, if their institution had been dam- 
aged, and if so, why the attack was not prevented. 

Findings and Observations 

Participants rated (on a scale of low, medium, and high) their campus administration's and their user groups' awareness of information security issues (including software piracy, copyright violations, unauthorized access, and physical security). The ratings are summarized in Exhibit 1.

Exhibit 1
Information Security Awareness Ranking

                              Institutions reporting awareness
                              High      Medium      Low
Executive Administration        3          3          2
Administration                  5          3          —
Operations Staff                5          3          —
Faculty                         1          2          6
Students                        (figures not recoverable)

Findings included:

• Executive administration at institutions which have 
a full-time security administrator and a security 
policy received high ratings for information secu- 
rity awareness, while executive administration at 
institutions without a full-time security adminis- 
trator or a security policy received slightly lower 
to much lower ratings. 

• Administrators and operations staff are most aware, 
and faculty and students are least aware, of infor- 
mation security issues and, similarly, administra- 
tive computing personnel were more aware of 
security issues than those involved in academic 
computing (see Exhibit 1). 

It is not surprising that our survey indicated that a formal security administration function correlates with a higher level of security awareness, since a commitment to security administration indicates an institution's administrative priorities regarding security. Furthermore, institutions having people responsible for reviewing, defining, and enforcing security policies are more likely to recognize the need for programs that consciously maintain and reinforce security awareness than institutions that have not assigned such responsibilities.

Participants discussed how information security awareness is maintained and reinforced for administrative and academic computing activities on their campuses. Among the methods used to maintain awareness are the existence of a security policy, a lab monitoring function, meetings, training, agreements, physical security, and written guidelines (see Exhibit 2).

Participants who gave their institutions' administration 
and users higher overall awareness ratings used a 
combination of the following to promote awareness: 

• Security Policy 

• Lab Monitoring Function 

• Physical Security 

• Written Guidelines 

Further Research 

It is reasonable to assume that executives who have a higher level of awareness about information security issues are better able to plan, implement, and maintain information security systems. In fact, our study indicates that institutions with the most aware administrators and user groups have a full-time security administrator and a security policy, and use a combination of methods to continually promote awareness.

A more in-depth study of a larger population of institutions might address:

• What is the degree of correlation between the existence of a full-time security administrator and a higher level of awareness about information security issues among administration and users?

• What is the degree of correlation between the existence of a security policy and a higher level of awareness about information security issues among administration and users?

2 — Information Security Concerns

Participants discussed the issues affecting their com- 
puting operations, and collectively ranked them in 
order of importance as follows: 

• Confidentiality 

• Telecommunications 

• Microcomputers 

• Contingency Planning/Disaster Recovery 

• Physical Security 



The information security concerns of colleges and
universities are related to their mission to educate. 
Institutions typically attempt to strike a balance be- 
tween academic freedom and information security. 
However, as one participant said, "The need for aca- 
demic freedom does not lessen the need for security." 
Administrators need to protect critical information as- 
sets; students value their privacy; and scholars, under- 
standably, want assurances their research data are 
secured to the degree they desire. 

Confidentiality of sensitive information (such as student financial information) is a particularly complex issue, especially in light of legal considerations. The Buckley Amendment (the Family Educational Rights and Privacy Act) places responsibility for extensive and thorough protection of all private information about students and their families squarely on the shoulders of administrators. The consequences of failure to fulfill that responsibility can be very serious, both financially and in terms of public perceptions.⁵

Telecommunications technology, particularly in net- 
works, is a source of rapidly emerging security issues. 
While providing the benefits of global access, telecom- 
munications bridges within and between colleges and 
universities provide ample opportunities to compro- 
mise security measures. Interconnecting networks and 
the transport of data across those connections have 
created an environment so complex and active it is 
difficult to address all the security needs adequately. 
The effectiveness of the Internet worm illustrates such 
vulnerability. 

Microcomputers at the institutions we surveyed were also a source of security concern, primarily due to the ease of physical access and the threat of virus attack.
Growing dependence on intelligent workstations and 
the legal liability issues related to storage of confiden- 
tial data on microcomputers demand administration's 
attention. 

Finally, business continuity/disaster recovery planning 
is gaining importance both in the business and academic 
community as dependence on computer systems 
continues to grow in nearly all fields. 



⁵See Robert F. Curran, "Student Privacy in the Electronic Era: Legal Perspectives," CAUSE/EFFECT, Winter 1989, pp. 14-18.

Findings and Observations

Our findings are presented under the five identified areas.

Confidentiality

Confidential data are usually associated with adminis- 
trative computing. Student records (demographics, 
grades, and personal and family financial information), 
grant and donor information, and a private institution's 
financial information are examples of confidential data.
We found that: 

• Financial information at public institutions is a 
matter of public record and is considered less 
confidential than at private institutions. 

• The surveyed colleges and universities expressed concern about negative publicity regarding security breaches (computer viruses, unauthorized disclosure of information, and the like), believing that such publicity could affect funding efforts.

• All the surveyed institutions were aware of issues 
related to the confidentiality of data and had 
security measures that they believe to be appro- 
priate in their circumstances. 

• Participants did not believe that their existing 
confidentiality security measures would be 
changed substantially in the near future. 

Telecommunications 

Colleges and universities use telecommunications technology to: (1) support networks for administrative computing, which involves distributed processing and remote data access; (2) support academic computing networks for research and instruction; and (3) provide delivery of information services to the public.

We found that survey participants are concerned about:

• Disruptions to computer processing due to dam- 
aged telecommunications 

• The role of telecommunications in the spread of 
viruses 

• Unauthorized access to computer processing via 
telecommunications 



• Disclosure of confidential information via tele- 
communications 

The surveyed institutions believed that a prolonged disruption to telecommunications could seriously hinder administrative and/or academic operations; however,
they did not have disaster recovery plans in place that 
would ensure restoration of such capabilities within a 
reasonable time frame. Those we interviewed recog- 
nized that telecommunications technology is likely to 
give more users access to their institution's computing 
services, thereby increasing the risk of exposure to 
viruses and unauthorized access to confidential infor- 
mation. 

Microcomputers 

The most significant information security issues related 
to microcomputer use include viruses, local area net- 
works which provide access to sensitive information, 
and legal concerns involving copyright violations. 

We found that most of the surveyed institutions believe the information security threat associated with microcomputer use is limited because microcomputers typically are operated on a stand-alone basis (i.e., they are not connected to a network). According to the study participants, viruses had infected primarily free-standing personal computers.

Most survey participants considered their administrative computing systems to be relatively secure from viruses; they associated the information security risks posed by viruses more with academic computing, where a single virus could interrupt all of an institution's academic computing. We found that cleaning up viruses is now considered a daily maintenance procedure.

Business Continuity/Disaster Recovery Planning 

Most of the survey participants who reported having disaster recovery plans did not believe that those plans would provide for the resumption of computing operations within a reasonable time after a major disruption in processing. Several participants indicated that executive administration at their institutions did not consider additional disaster recovery provisions to be warranted. All of the surveyed institutions were employing backup procedures and had off-site storage facilities.
Physical Security

Physical security issues, including loss of hardware and software due to theft or damage and security breaches due to unauthorized use, were not major concerns of participants. Most surveyed institutions believed that their current physical security measures were adequately protecting hardware and software.

Effect of Security Breaches on Information Security Procedures and Controls

Participants discussed publicized incidents of security breaches and viruses, and how those incidents have changed their computer processing (mainframe, minicomputer, or microcomputer) procedures and controls. Notable findings in this area included:

• Publicized incidents of security breaches at other institutions have heightened information security awareness at most of the surveyed institutions. After such publicity, administration reviewed controls and procedures, and often concluded that security procedures at their institution were adequate.

• None of the surveyed institutions reported security breaches other than a virus infection.

• After a virus invaded their computers, four of the eight institutions changed their security controls and procedures. These changes included limiting the use of student-owned software, testing all software before execution, discouraging sharing of diskettes, reinforcing backup procedures, and instituting policy changes in the schools' bylaws.

Further Research 

Use of telecommunications and computer technology 
in higher education is expanding and changing at a 
rapid rate. Additional research in this area would be 
valuable to ascertain: 

• What priority do institutions of higher education 
assign the issues affecting information security? 

• Are the priorities based on awareness, cost, or 
arbitrary decision-making? 

• Are the priorities appropriate? 
• Do institutions of higher education require the same degree of business continuity/disaster recovery planning as for-profit organizations?

• Is a major disruption to computing services a 
greater threat than is recognized by the surveyed 
institutions? 

• Is the cost of developing and maintaining a disaster recovery plan warranted in the higher education environment?

Finally, further expansion of computer and telecom- 
munications technology may increase the threat of 
computer viruses. Have institutions of higher educa- 
tion developed the policies and security procedures 
necessary to reduce the risk of spreading a computer 
virus across a network? 

3 — Risk Assessment

A risk assessment analyzes the existence and adequacy of computer controls that ensure:

• Confidentiality — sensitive data are identified and treated in a confidential manner.

• Integrity — data are kept complete and accurate, and are changed only through authorized, controlled processing.

• Availability — data and processing capacity are accessible to authorized users when they need them, and business continuity procedures are in effect for restoration of processing after a major interruption of computer processing.

Findings and Observations 

Participants in our study were asked if their institution had conducted an objective security risk assessment within the last two years. While no overall risk assessments had been conducted, reviews of select areas of security had been performed (see Exhibit 3). Five participants indicated security procedures in sensitive areas were reviewed periodically by internal and external auditors.

Since the administration at most of the surveyed institutions had assessed specific areas of computer operations risks, they did not believe an overall risk assessment to be warranted; several participants, however, believed their institutions should establish a business continuity plan. One surveyed institution was in the process of conducting a security risk assessment for its administrative computing environment, including a review of its multi-campus telecommunications operations and the development of a disaster recovery plan.

Another institution in our study group had conducted a partial risk assessment. The resultant recommendations were described by information systems management as too general and not useful in enhancing the security and controls environment. Their experience illustrates the importance of defining the goals of a risk assessment before conducting the assessment, to help ensure useful results. Furthermore, the assessment should include a cost/benefit analysis in support of the assessment recommendations. Without cost analysis, administrators may find it difficult to determine the best course of action accurately, resulting in a situation where needed security measures are not implemented.

Security measures can lose effectiveness over time. For example, password secrecy is frequently lost over time, and the likelihood that an encryption scheme can be broken increases with its age as attack techniques and computing power improve. Risk needs to be regularly reassessed, since any change to a computer environment may invalidate previous conclusions and assessments.

As stated, most of the institutions in our study had not
conducted a formal, objective risk assessment in at 
least two years. We found the risk management func- 
tion at these institutions to be concerned primarily with 
insurance matters and protection of physical assets 
rather than with managing the risks associated with 
information security or business continuity. 

Given the rapid change of computer and network 
technology, constant vigilance by those charged with 
protecting critical information assets is necessary. This 
should involve both daily scrutiny as well as periodic 
evaluations of the security measures in place. 

Further Research 

An objective risk assessment can put information secu- 
rity risks in perspective, and position executive admin- 
istration to take a proactive stance. Further research 
could determine whether the climate exists in higher 
education for risk assessment. Is the need perceived? 



Are the full benefits of risk assessment known at the 
proper levels of administration? 

Managing the information security risks associated 
with an institution's computing environment is as im- 
portant as knowing what the risks are. Research in this 
area could disclose: 

• How widespread is the risk management function 
in higher education? 

• Does every institution need a risk management 
function? 

• How extensive does a risk management function 
in higher education need to be? 

• Should a security administrator function include 
the risk management duties associated with infor- 
mation security, or should institutions expand an 
existing risk management function? 
4 — Information Security Policies 

A security policy has at least the following four charac- 
teristics: (1) security guidelines for all operating envi- 
ronments (mainframe, minicomputer, microcomputer, 
local area network, and telecommunications), which 
encompass both administrative and academic comput- 
ing; (2) personnel or a method for implementing, 
monitoring, and enforcing the policy; (3) methods for 
reviewing and amending the policy; and (4) methods of 
policy distribution. 

The development and timely maintenance of a com- 
prehensive and effective security policy is a challeng- 
ing task. It is especially difficult if the responsibility for 
developing and implementing a policy is ill defined. 

General Findings and Observations 

A majority of the institutions surveyed did not have a 
stand-alone security policy. Exceptions were those that 
had a formal security administration function. The 
others were relying on codes of conduct and bylaws to 
establish guidelines on information security rules and 
conduct. Federal and state laws were also considered 
applicable to extreme cases, such as vandalism or theft. 
All institutions reported limited non-disclosure policies 
for student biographical and research data. 

Fewer than half of the institutions in our study considered 
their policies current and adequate. Most surveyed 
institutions changed policies as required by law, but 
not necessarily in response to changing technology. 
One MIS director pointed out that the existence of 
security policies does not necessarily create awareness 
or guarantee enforcement. 

We found that while none of the surveyed institutions 
had a security policy that included all of the character- 
istics described above, three institutions reported hav- 
ing security policies which meet most of the above 
characteristics, with the exception that the policies do 
not cover all computing activities or operating environ- 
ments. One institution was in the process of developing 
a policy. 

Some institutions without a separate security policy 
reported that their institutions' bylaws include general 
guidelines for using computer facilities, but they do not 
specifically address information security issues. Par- 
ticipants cited student brochures, departmental opera- 
tions manuals, and the MIS organization monitoring for 
violations as additional methods for communicating 
and administering security procedures. 

Enforcement is a sensitive issue in security administra- 
tion at colleges and universities. The concept of aca- 
demic freedom includes a degree of tolerance for 
experimentation and intellectual adventure, which may 
hinder the goals of security administrators. We found 
that the penalties for information security misconduct 
were often not defined, vaguely stated, or surprisingly 
lenient relative to those in non-campus settings. Though 
a change in this attitude is not necessarily called for, it 
is important to consider the possible implications of 
such an attitude. 

Participants discussed the policies and tools they be- 
lieve should be developed at their institution. Two of 
the three institutions that had security policies indi- 
cated that compliance with their policies could be en- 
hanced by emphasizing awareness rather than pun- 
ishment, and that the policies themselves could be 
enhanced by broadening them to include all comput- 
ing environments. Among the institutions that had not 
developed a security policy, two believed that such a 
policy should be developed. 

Findings and Observations about 
Microcomputer Policies 

Our interviews gathered information about microcom- 
puter policies and procedures at each institution. Ex- 
hibit 4 shows the quantitative results from this section 
of the study. 

Of the institutions with a security policy, only one 
addressed microcomputer security specifically, and 
none addressed the use of microcomputers for sending 
and receiving executable programs. Some participants 
stated that their institutions' bylaws establish micro- 
computer security guidelines regarding such sensitive 
areas as copyright infringement, access procedures, 
and sharing diskettes. 

Several participants reported difficulty enforcing mi- 
crocomputer policies, with enforcement inconsistent 
and often depending on students policing themselves. 
Most participants reported penalties for violations are 
usually established on a case-by-case basis, primarily 
for violations of educational ethics, vandalism, or theft. 
None of the surveyed institutions reported policies 
governing the use of student-owned software on insti- 
tution-owned microcomputers, but one institution had 
procedures in this area. We found that microcomputer 
policies do not usually include provisions for connec- 
tion to, and downloading software from, electronic 
bulletin boards, or executing such programs on school- 
owned equipment. 

Most participants in our study reported that physical 
security of micro hardware and legal liability issues 
concerning copyright infringement are major con- 
cerns. Such concerns are addressed through student 
orientation, verbal and posted warnings, copyright 
notices, computer classes, and the institution's bylaws. 

Further Research 

Policies are most effective when they are consistently 
established, maintained, communicated, and moni- 
tored. It is important that policies are updated periodi- 
cally to include evolving technology, and issued in a 
timely manner. A consistent pattern for developing, 
communicating, and monitoring information security 
policies was not evident in the surveyed institutions. 

Additional research could help to gain a perspective on 
the following: 

• Should security policies address the use of micro- 
computers? 

• What procedures are needed to address the nature 
(i.e., binary vs. text) of data transmission? 

• What is the academic user's view of such proce- 
dures? 

• Would such procedures limit or restrict academic 
activities? 

• What are the risks of not establishing such poli- 
cies? 

• Are institutional bylaws the appropriate vehicle to 
communicate information security policies? 
5 — Security and Control 

Participants were asked to rank the effectiveness, on a 
scale of 1 (lowest) to 5 (highest), of various campus 
computer groups (see Exhibit 5) for addressing security 
and control as well as other data processing issues (see 
Exhibit 6). The groups included: 

• MIS Steering Committee 

• Strategic Planning Committee 

• Internal Audit Department 

• Internal EDP Audit Function 

• Risk Assessment Committee 

• User Group 

• Quality Assurance Group 

Active participation by administrators and other com- 
puter systems users can contribute significantly to the 
introduction and integration of security concerns dur- 
ing the planning process. Various forums for such 
participation are found at most colleges and universi- 
ties. According to the participants in our study, the 
effectiveness of those forums depends on the organiza- 
tional seniority of the membership. 

Although that relationship is not surprising, the quality 
of input given by senior administrators is affected by the 
degree of representation from the information systems 
organization. Quality input is more than the distillation 
and packaging of technical information and analyses. 
It should help to yield politically appropriate and 
fruitful responses to security issues. For example, one 
surveyed MIS director saw the public furor surrounding 
the Internet attack as an opportunity, because it caused 
widespread interest in security issues. 

There is a trend in data administration in which re- 
sponsibility for the security of the data is assigned to the 
user. Data custodians are assuming visible and active 
roles in deciding what data to secure and the appropri- 
ate protective measures necessary to secure those data. 
The advantage of this approach is that oversight duties 
and expertise are disseminated and duties are segre- 
gated. 

Findings and Observations 

Participants ranked the following groups as the most 
effective in addressing issues of security and control: 

• Strategic Planning Committee 

• MIS Steering Committee 

• User Groups 

• Internal EDP Audit Function 

These groups were identified as usually being con- 
cerned with security and control for administrative 
computing. Cited as the factors which contributed most 
to a group's effectiveness were the administration level 
of group members, the group's budget, and the degree 
of group activity. 

Participants were also interviewed about security and 
control procedures in use and/or under review to 
protect hardware, software, and data. All of the institu- 
tions in the study were using conventional physical 
access restriction methods and all but one used security 
software. 

Some of the surveyed institutions reported using secu- 
rity software packages such as ACF2, RACF, and TOP 
SECRET. Generally, participants considered these 
packages as tools for monitoring and accountability, 
not for enforcement. Participants reported that security 
violations are recorded and researched (on a more or 
less timely basis). If infractions are judged severe by 
those responsible for reviewing security violation re- 
ports, appropriate disciplinary actions are pursued. 
Infractions were considered infrequent and not a seri- 
ous threat. 
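
Participants describe reading violation reports from packages such as RACF or 
ACF2 and escalating those judged severe, with review happening "on a more or 
less timely basis." The following is an added example, not code from the study 
or from any of those products, of review logic a security administrator could 
run over such reports: it flags repeated denials by one user on one resource 
(a probing pattern), any denied attempt to change data under a confidential 
prefix, and denials that have sat unreviewed past a deadline. The record 
layout, field names, prefixes, thresholds and sample records are all constructed 
for this example; real packages write their own record formats (RACF's audit 
trail, for instance, is in SMF records), so parse_line would be replaced by a 
reader for those. 

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record layout for this example (not RACF, ACF2 or TOP SECRET output).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<resource>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>ALLOWED|DENIED) reviewed=(?P<reviewed>yes|no)$"
)

# Assumed site conventions: data under these prefixes is confidential, three denials on one
# resource within a day look like probing, and every denial must be looked at within a week.
SENSITIVE_PREFIXES = ("STUDENT.", "PAYROLL.", "RESEARCH.")
REPEAT_THRESHOLD = 3
REPEAT_WINDOW = timedelta(hours=24)
REVIEW_SLA = timedelta(days=7)


def parse_line(line):
    """One record -> dict; refuses malformed lines rather than silently skipping them."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["reviewed"] = rec["reviewed"] == "yes"
    return rec


def denials(records):
    return [r for r in records if r["result"] == "DENIED"]


def repeated_denials(records):
    """(user, resource) pairs with REPEAT_THRESHOLD or more denials inside REPEAT_WINDOW."""
    stamps_by_key = defaultdict(list)
    for r in denials(records):
        stamps_by_key[(r["user"], r["resource"])].append(r["ts"])
    flagged = []
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        # Sliding window: denials i and i+threshold-1 bracket a run of `threshold` denials.
        for i in range(len(stamps) - REPEAT_THRESHOLD + 1):
            if stamps[i + REPEAT_THRESHOLD - 1] - stamps[i] <= REPEAT_WINDOW:
                flagged.append(key)
                break
    return sorted(flagged)


def sensitive_write_denials(records):
    """Denied attempts to alter confidential data; a single one is escalated."""
    return sorted({(r["user"], r["resource"]) for r in denials(records)
                   if r["action"] in ("UPDATE", "DELETE")
                   and r["resource"].startswith(SENSITIVE_PREFIXES)})


def overdue_reviews(records, now):
    """Denials older than REVIEW_SLA that nobody has marked as reviewed."""
    return sorted(f"{r['ts'].isoformat()} {r['user']} {r['resource']}"
                  for r in denials(records)
                  if not r["reviewed"] and now - r["ts"] > REVIEW_SLA)


def triage(log_text, now_iso):
    """Run all three checks over a block of records as of the given review date."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    now = datetime.fromisoformat(now_iso)
    return {
        "repeated": repeated_denials(records),
        "sensitive_writes": sensitive_write_denials(records),
        "overdue": overdue_reviews(records, now),
    }


# Constructed sample records; users, resources and dates are invented.
SAMPLE_LOG = """\
1989-03-13T09:12:40 user=mreg resource=STUDENT.GRADES action=READ result=ALLOWED reviewed=yes
1989-03-14T02:17:05 user=jdoe resource=STUDENT.GRADES action=UPDATE result=DENIED reviewed=no
1989-03-14T02:17:31 user=jdoe resource=STUDENT.GRADES action=UPDATE result=DENIED reviewed=no
1989-03-14T02:18:02 user=jdoe resource=STUDENT.GRADES action=UPDATE result=DENIED reviewed=no
1989-03-01T11:05:00 user=tsmith resource=LIBRARY.CATALOG action=READ result=DENIED reviewed=no
1989-03-20T15:44:10 user=kwu resource=PAYROLL.MASTER action=READ result=DENIED reviewed=yes
1989-03-21T08:00:00 user=kwu resource=PAYROLL.MASTER action=READ result=DENIED reviewed=yes
"""

if __name__ == "__main__":
    for heading, items in triage(SAMPLE_LOG, "1989-03-22T09:00:00").items():
        print(heading)
        for item in items:
            print("  ", item)
```

The overdue check is the one that addresses the "more or less timely" caveat: a 
violation that is logged but never read provides accountability only on paper, 
and listing stale records each week makes that gap visible to whoever owns the 
review. 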
6 — Information Security Administration 

As stated earlier, a human resources commitment to 
security administration indicates administrative priori- 
ties in relation to information security. As defined in our 
study, a security administrator is responsible for: (1) 
developing, coordinating, and monitoring overall se- 
curity procedures and plans; (2) developing, designing, 
and implementing security standards, policies, and 
procedures; and (3) monitoring compliance with security 
policies on a regular basis. The issues discussed con- 
cerned institutional commitment, both philosophical 
and financial, to security administration. 

Findings and Observations 

The description of the security administrator's function 
at three of the surveyed institutions met the criteria just 
described, but only two institutions had positions dedi- 
cated to security administration (see Exhibit 7) and they 
concentrated their efforts on administrative comput- 
ing. The other six institutions did not employ a full-time 
security administrator, but assigned security adminis- 
tration duties to an individual in addition to his/her 
other job responsibilities. The small institutions and 
those with limited budgets did not have a full-time 
security administrator. 



Participants were interviewed about executive admin- 
istration's role in information security. Most believed 
that security issue discussions with executive manage- 
ment usually result from a specific event, such as a 
computer virus, unauthorized access to data, computer 
theft, or the like. Participants described administrators 
as reactive, interested in security issues primarily after 
a serious violation. One MIS director described such 
behavior as "event driven." Exhibit 8 summarizes 
executive administration's role in information security. 



Further Research 

As changing technology places new demands on secu- 
rity systems, executive administration at institutions of 
higher education will need to make informed decisions 
and provide guidance on a broad range of information 
security issues. Further research in information security 
administration could answer: 

• Do an institution's characteristics (e.g., size, 
funding, research orientation) correlate with the 
employment of a full-time security administrator? 

• What are the risks associated with not employing 
a security administrator, given the rate of techno- 
logical change? 

• Should a security administrator also assume the 
role of network administrator? 
Most of the surveyed institutions expected no security 
budget increases or major enhancements to security 
policies in the next year. 
7 — Design, Review, and Testing of 
Information Security: The Role of 
Auditors and Consultants 

Use of internal and external auditors is a resource 
available to information systems managers and admin- 
istrators interested in addressing security concerns. 
Generally, auditors are perceived as after-the-fact re- 
viewers of the information used to produce reports. 
Their technical expertise is viewed with skepticism; 
their involvement in the day-to-day affairs of the infor- 
mation technology organization is considered bother- 
some. In fact, they may give fresh insight in the analysis 
of security issues.² Internal auditors may have a broader 
view of the business needs of an institution than in- 
formation systems staff. Similarly, external auditors 
may offer insight into how other institutions approach 
similar problems. 

Findings and Observations 

Participants were asked if auditors (internal or external) 
or consultants influenced the design, review, and test- 
ing of information security systems. They indicated 
their internal auditors generally play a minor role in the 
design, review, and testing of information security 
systems. Only one of the surveyed institutions reported 
using consultants to design, review, and test informa- 
tion security policies, methods, or procedures. 

Overall, participants expressed a desire for greater 
participation by their internal auditors, and believed 
they could participate more effectively if they were 
provided with proper training in appropriate informa- 
tion security review and testing methodologies. 

Participants at the surveyed institutions reported that as 
part of their audit procedures, external auditors usually 
review internal controls over the administrative com- 
puting activities, but not academic computing. Such 
reviews address security controls, but generally do not 
result in an in-depth analysis. Some participants indi- 
cated they would welcome comprehensive security 
reviews by external auditors. 

Further Research 

Successful institutions typically have internal auditors 
who can conduct EDP audits. In light of this, it would 
be interesting to know: 

• What is the extent of EDP internal audit capability 
in higher education? 

• Is the level of participation by EDP auditors in the 
design, review, and testing of information security 
systems appropriate? 

• Do EDP internal auditors have the requisite skills 
to participate in the design, review, and testing of 
information security systems? 



²See George Carroll, "Strengthening Security through Computer 
Center/EDP Auditing Teamwork," CAUSE/EFFECT, May 1986, p. 3, 
and Pamela Clem and Mark Olson, "Creating a Working Partner- 
ship with Your EDP Auditor," CAUSE/EFFECT, September 1987, pp. 
14-18. 
8 — Information Security Issues for the 
1990s 

Two major developments will drive information secu- 
rity in the 1990s: the rapid growth of networks and 
network-based technologies (such as distributed data- 
bases) and the equally rapid growth of end-user com- 
puting on mainframes and microcomputers (spurred by 
the development and improvement of fourth-genera- 
tion languages). Other value-added technologies, such 
as image processing, will create additional challenges 
for security administrators, such as access control of 
images. On the other hand, some new technologies 
may offer new tools to help security administrators, 
such as electronic signatures and biometric devices. 

How best to provide for security will be the greatest 
challenge facing administrators, given the continuing 
trend toward dispersal and proliferation of critical data 
and access paths to critical data. Currently, it does not 
seem that information security is likely to keep pace 
with technological change. Security administrators will 
continually need to stay informed. Vendors can re- 
spond to market pressures to develop new security 
products, if they are made aware of how they can best 
help institutions meet their information security needs. 

Findings and Observations 

Participants cited the expanding use of networks and 
end-user computing, as well as the pace of technologi- 
cal advances, as the issues most likely to affect infor- 
mation security in the 1990s. 

Networks 

• There will be a substantial increase in use of inter- 
and intra-campus networks in administrative and 
academic computing. 

• The increased number of users will increase the 
potential for unauthorized access to confidential 
data, particularly in situations where users have 
dial-up access. A major concern is how to secure 
confidential data and maintain network and data 
access control. 

• Since networks will increase distributed process- 
ing and decentralized control, "data custodians" 
will play a major role in defining and controlling 
network security. Several of the participating insti- 
tutions already use the data custodian concept by 
assigning the office(s) using the data the responsi- 
bility of security oversight. 

• Several institutions suggested they will employ a 
network administrator to address the operational 
and security needs of the network. 

• Other security issues related to distributed data- 
bases include wider use of distributed passwords, 
access across networks, and encryption and au- 
thentication across networks. Vendors may need 
to develop hardware and software to address 
those issues. 
End-User Computing 

• End users may not know how to protect data, since 
end users are not under centralized control and 
are often untrained and inexperienced in data 
processing and computer use. 

• Participants cited access control, maintaining 
confidentiality, and backup procedures as issues 
which needed to be addressed. 

Pace of Technological Advances 

Given the pace of advances in computer technology, 
participants discussed how they would meet the chal- 
lenge of maintaining adequate security, identifying 
several technologies that are likely to affect their com- 
puter operations in this decade: 

• Image processing will support storage of signa- 
tures, photographs, and documents for access and 
identity verification, student registration, transfer 
and storage of student applications and tran- 
scripts, and personnel records. However, image 
processing may raise significant concerns about 
access control and privacy, since the techniques 
necessary to secure image processing have not yet 
been fully developed. 

• Paperless systems will be widely used in the 
future. 

• Institutions will move away from transaction pro- 
cessing systems using written authorization, cen- 
trally controlled input and output, and printed 
transaction details. Systems for transferring tran- 
scripts, input and verification of grades, and pro- 
cessing financial aid applications are expected to 
allow for on-line authorization, recording, and 
processing with minimal manual intervention. 

Concerns include: 

— Providing access protection for electronic 
documents and signatures 

— Devising transaction control procedures 

— Improving quality assurance and testing 
methodologies during the development of 
such systems 

• Some participants cited biometrics and artificial 
intelligence as potential authorization technolo- 
gies. Most expected it will be years before institu- 
tions use such technologies. 

Further Research 

Additional research could seek answers to the follow- 
ing questions: 

• As institutions of higher education adopt new 
technology and procedures (e.g., increased end- 
user computing, data custodians, and network- 
ing), will the information security requirements of 
new technologies require a foundation of infor- 
mation security built on today's technological 
base? 

• Are institutions poised to adopt the new technolo- 
gies and minimize any additional associated risks? 

• Do institutions have the requisite experience to 
blend the security issues associated with the new 
technologies into their existing policies, proce- 
dures, and methodologies? 
Concluding Observations 



While the sophistication of technology continues to 
increase — allowing for faster, easier access to increased 
amounts of data and capability — the ability to adequately 
control access continues to lag. Our small study revealed 
several security and control issues which need to be 
addressed to reinforce the current framework. The ability 
to progress and keep pace in the 1990s will depend 
heavily on the framework of security and control method- 
ologies developed today. 

Colleges and universities will, in many ways, be in the 
forefront of these exciting developments. Their special 
need to be open and accessible while protecting critical 
or confidential information creates both challenges and 
opportunities. As is so often the case, striking the right 
balance between function and ease of use is difficult, 
especially where security issues are concerned. By their 
nature, institutions of higher education favor ease of use. 
However, their executive administration is faced with a 
complex combination of legal requirements and business 
needs for securing the privacy and integrity of sensitive 
information. 

Scholars and students rigorously defend the rights they 
consider essential to academic freedom. Systems profes- 
sionals, wary of the potentially negative consequences of 
"too much" openness, tend to lean toward greater secu- 
rity. Information technology executives in higher educa- 
tion must weigh all the conflicting factors and opinions 
and find the most suitable mix for their institution. Those 
who succeed will set new standards for their peers in 
corporate and government environments by finding ways 
to share resources productively and cost-effectively while 
protecting the critical data assets of their institutions. 



Cost, as always, is an inescapable consideration. Effective 
security and control and meaningful contingency plan- 
ning measures can be expensive. It may, however, prove 
more expensive in the long term to avoid the costs and 
assume attendant risks. The cost/benefit analysis is less 
bewildering once it is approached like a business deci- 
sion. Security is simply part of the "cost of doing business." 

So, the challenge is before us. All levels of personnel are 
challenged: 

• Executive administration should maintain a high 
level of awareness of the issues affecting their envi- 
ronments and provide the resources necessary to 
address them. 

• Information technology executives should continue 
to be cognizant of the security and control demands 
of the new technologies. 

• Security administrators should disseminate aware- 
ness and information, spreading responsibility for 
security throughout their organizations. 

• Users should elevate and maintain their level of 
awareness of their security and control responsibili- 
ties. 

We trust our efforts at putting the issues and concerns of 
this important topic into perspective will be of assistance 
in meeting the challenges of the next decade and beyond. 
Appendix 

Interview Guide Part 1 

1. What are the information security issues facing institutions today? Describe the institution's computing environ- 
ment, e.g., administration, research, instructional, including organization/reporting responsibilities and security for 
each environment. 

2. What are the information security issues that you face today in each described environment? Some issues to consider 
may be management, reliability, performance, and logical or physical access as related to: 

• Confidentiality— balance of security, accessibility, and productivity (academic freedom and security) 

• Threats—unauthorized access, viruses, interruption of IS services, theft of information, destruction of 
hardware/software 

• Microcomputers— LANs, stand-alone, on-line, up- and downloading, end-user computing, violations 
of software copyrights (software piracy) 

• Telecommunications— networking (WANs and MANs), dial-up, connectivity 

• Physical security— security and 24-hour availability by students (computer labs) 

• Business contingency planning and disaster recovery 

a. Administrative environment 

List and describe each issue. On a scale of 1-5 with 1 being the highest, rank each issue. 

b. Research environment 

List and describe each issue. On a scale of 1-5, with 1 being the highest, rank each issue. 

c. Instructional environment 

List and describe each issue. On a scale of 1-5, with 1 being the highest, rank each issue. 

3. Do you consider information security awareness at this institution to be high, medium, low, or non-existent for each 
of the following: 

• Executive administration 

• Administration 

• Operational staff 

• Teachers 

• Students 

4. Describe the methodologies used at this institution to maintain or reinforce information security awareness and 
specify the party responsible for each area. For example: 

• Incorporated into the employee and student orientation programs, system science courses, computer 
lab sessions; signs and procedures displayed in the computer center and computer lab building(s), etc. 
• Physical security and monitoring procedures over access to information systems environment including 
microcomputer hardware and software for "labs" and administrative purposes. 

5. Describe the institutional security policy as it relates to each computer environment. 

a. How often is it amended for changes to the environment? 

b. When was the last update? 

c. Does the policy address all the security issues discussed in question 2? 

d. Is the policy routinely communicated to all the computer departments? 

e. Describe how it is enforced. 

6. As technology progresses, are the information systems security policies, techniques, and tools keeping pace? 

7. What security policies and tools would you recommend be developed? Describe. 

8. Is executive management routinely informed of information technology security issues? 

a. List the most recent issues brought to their attention. 

b. How were these issues communicated to them? 

• By you 

• The press 

• Internal auditors 

• External auditors 

• Other 

9. Do you consider executive administration proactive or reactive to information security? Describe. 

10. What percentage of information systems budget is allocated for security? 

11. What commitment to information security has executive administration made in the last year? For example: 

• Development of or enhancements to information security policies; additional personnel, e.g., security 
administrator 

• Security software packages, e.g., RACF, ACF2, Top Secret 

• Increase in budget for security 

12. Discuss the impact that an "information security problem," e.g., computer virus, unauthorized access to academic 
records, etc., would have on the institution. For example: 

• The institution could not attract top students; loss of research grants (both private and government), 
donations, and endowments; enrollment would decline due to poor public image; legal implications 
due to lawsuits, etc. 

• Recruiting and/or retaining staff. 
Interview Guide Part II 

What steps are being taken to address the information security concerns and issues? 

NOTE: The information security issues and concerns from Part I are the basis for this section. Identify each issue and 
ensure it is addressed in this section. 

1. Is there an established (formalized) security administration function? 

a. If so, describe the responsibilities, reporting structure, staff complement— part-time or full-time employee, staff 
assistant, professional security personnel, etc. — of this function. 

b. If not, why? 

• Not in the budget 

• Computer environment is too small 

2. Are security and control methodologies either currently being employed or under review to protect assets in each 
computer environment, e.g., hardware, software, and information? 

Methodologies to consider include security software (RACF, ACF2, and TOP SECRET); access control devices, i.e., 
smart cards, proximity cards, swipe cards, key pads, security guard; contingency plan or disaster recovery plan. 

a. Does implementation adhere to policies? 

3. Is computer activity monitored and are breaches of security investigated for each environment? 

a. Is monitoring on a 24-hour, 7-day-a-week basis? 

b. How are breaches of security that occur after "normal" business hours investigated? 

c. How are security violations dealt with? Are security privileges revoked? 

• If so, for how long? 

• If not, why? 

4. Does the institution have the following: 

• Information systems steering committee 

• Strategic planning committee 

• Internal audit department 

• Internal EDP audit function 

• Risk assessment committee 

• User group participation in determining security policies 

• Quality assurance group 

• Other... 

5. Describe the steps that are being taken to raise the security consciousness in each of the following groups at this 
institution. 

• Executive administration 

• Administration 

• Operational staff 

• Teachers 

• Students 






a. Who is responsible? 

b. Are the means effective? If not, why? 

6. Has an objective assessment of security risk been performed within the last two years? 

7. If so, did the results indicate that improvements should be made? 

a. Where appropriate, describe the nature of the recommended improvements as they may relate to: 

• Policy 

• Procedures 

• Operations 

• Physical access 

• Logical access 

b. What was executive administration's receptivity to the recommendations to improve information security? 

c. Is the implementation of the accepted recommendations proceeding on schedule? If not, why not? 

d. What recommendations were not approved for implementation? What were the reasons for not implementing 
the recommendations? For example: 

• Cost versus benefit was not acceptable 

• Funding was not in budget. 

8. Have the incidences of computer viruses and breaches of security in colleges and universities resulted in changes 
to or increased focus upon information security in the various computer science courses at this institution? 

a. If so, please describe. 

b. If not, why? 

c. What is your opinion of the above? 

9. Have the incidences of computer viruses and breaches of security in colleges and universities resulted in any changes 
to: 

• Mainframe software development procedures and controls? 

• Microcomputer usage procedures? 

a. If so, please describe. 

b. If not, why? 

10. Are policies and procedures in place that set forth a code of conduct by which all student users of institutional 
microcomputers are expected to abide? If not, why not? 

a. Is the code of conduct adequate? 

b. What party is responsible for enforcing the code and how is enforcement carried out? 

c. How are infractions dealt with? 

d. If a code of conduct or statement of practices is in place: 
• Does it differentiate between using the same software on a student-owned microcomputer vs. one owned by 
the institution? 

• Does it properly address the policies and procedures by which software is allowed to be executed on the 
institution's microcomputers? 

• Does it properly address the policies and procedures for utilizing the institution's microcomputers to connect 
to public bulletin boards and downloading software for execution in the institution's computer environments? 

11. Do you consider the information security support that you are receiving from each of the following to be adequate? 

• Executive administration 

• Administration 

• Operational staff 

• Teachers 

• Students 

a. If so, why? 

b. If not, what additional resources would be required? 

12. Describe the role that the institution's internal auditors, external auditors, or consultants have in design, review, and 
testing of information security. 

a. What methodologies do they employ to review and test security? For example: 

• Questionnaires 

• Independent audit software used to analyze security software and system records, e.g., RACF-DSMON, auditing through CICS, VTAM, 
SMF, etc. 

• Testing of network security, e.g., penetration studies 

b. How effective is each of their roles? 

c. Could the role of the internal auditors, external auditors, or consultants be expanded to improve the 
information security environment? 

d. Describe the role and prioritize the additional functions, services, software, or products that each group 
could provide. 

Interview Guide Part III 

What do you see as the information security issues of the institution in the 1990s? 

NOTE: This section will generate a list of issues and possible solutions. The list should be prioritized using a scale of 
1 to 5 (1 highest). 

A partial list of concerns for the 1990s is: 

• What impact will enhanced voice, data, and image transmission capabilities have on security? 

• Will security advance at the same pace as technology? 

• Proliferation of microcomputers, end-user computing, LANs, WANs, connectivity 

• Costs of adequate information security 

• Balancing of academic freedom, security, and technology needed to provide the best education in a 
competitive market, i.e., attract the best students; obtain grants, donations, and research funding; for 
public tax based institutions, public access to information 

• Maintaining a "proactive rather than a reactive" role in the security environment 
Coopers & Lybrand is among the largest firms of professional consultants and accountants 
in the world. As part of an international partnership, the firm is represented in 100 nations 
and has a combined worldwide strength of over 44,000 partners and staff. In its 92-year 
history, Coopers & Lybrand has maintained its leadership position through its ability to 
anticipate and respond to the needs of its clients. The firm's industry-focused approach to 
the delivery of services is a key factor in its success. 

By any objective measure, Coopers & Lybrand is the nationally recognized advisor to higher 
education. The firm serves as the auditor and business advisor to many of the most 
prominent institutions of higher learning in America. Coopers & Lybrand audits hundreds 
of institutions including seven of the eight Ivy League schools and nine of the top ten private 
research universities. Coopers & Lybrand is also the acknowledged leader in higher 
education consulting, offering services clustered around six critical areas: Information 
Technology; Human Resources; Financial Management, Accounting, and Tax; Operations 
and Productivity; Facilities Management; and Governance, Organization, and Planning. 

Information technology is the engine that directly supports the learning, research, and 
administrative functions of the institution. Rising costs, changing technology, and the 
increasing use and sophistication of software make the effective selection and use of 
computers a key management decision. Coopers & Lybrand has helped colleges and 
universities improve data and systems security, as well as design and successfully 
implement a wide variety of management information systems, and has worked with clients 
at every point in a systems life cycle. Information technology services include: 

Information Technology Audit and Security Services 
Technology Planning 
Decision Support Systems 
Application Readiness Assessments 
Computer Security 

Systems Planning and Implementation 
Database Development 
Networks and Communications 
Intellectual Property 
Chargeback/Cost Accounting 
Systems Integration 

Coopers & Lybrand has assembled a team of experienced information technology 
consultants who work with colleges and universities on a full-time basis. The firm also has 
consultants who are specialists in enabling technologies such as: 

• Database Management Systems (DBMS) 

• Fourth-Generation Languages (4GLs) 

• Expert Systems 

• Voice, Data, and Image Networks 

• Image Processing 

• Electronic Data Interchange (EDI) 
These consultants bring a thorough understanding of the full systems development life 
cycle, including planning, requirements definition, design, development, testing, 
conversion, and implementation. The firm has reviewed and improved business processes 
and technology for registrars, bursars, financial aid directors, admissions officers, academic 
advisors, and alumni associations. 

Listed below are some examples of how Coopers & Lybrand has helped its higher education 
clients improve their use of technology. 

• Provided functional and technical assistance for the implementation 
of administrative packages 

• Designed and built comprehensive endowment fund management 
systems 

• Implemented financial decision support systems to improve budget 
management and planning 

• Conducted numerous operations reviews of college information 
systems departments to help identify opportunities for improving 
information management 

• Developed comprehensive administrative systems business models 
to help colleges and universities select and implement applications 
software 

• Assessed the information technology organization and skills mix 

• Provided information security risk assessment and control review 

Coopers & Lybrand's consulting teams have broad experience in planning for and 
implementing complex administrative systems. The company's proven methodology for 
systems development and implementation (SUMMIT) can be specifically tailored to meet 
its college and university clients' needs. Coopers & Lybrand offers its clients the right 
combination of higher education, technical, and project management skills needed to get 
the job done. 

Coopers & Lybrand, a CAUSE member since 1983, has participated annually at the CAUSE 
national conference through vendor presentations and refreshment break sponsorships, and 
funded the publication of CAUSE Professional Paper #5, Information Security in Higher 
Education. 

Contacts: 

Clark L. Bernard 
Joel W. Meyerson 
John H. Duffy 
Sean C. Rush 
John Cassella 
at 

Coopers & Lybrand 
One Post Office Square 
Boston, Massachusetts 02109 
(617)574-5000 
Albert Decker 
Raymond Elliott 
at 

Coopers & Lybrand 
1251 Avenue of the Americas 
New York, New York 10020 
(212) 536-2000 
#1 Single System Image: 

An Information Systems Strategy 

by Robert C. Heterick, Jr. 

A discussion of the strategic planning for information systems, 
incorporating a description of the components needed to purvey 
an institution's information resources as though they were deliv- 
ered from a single, integrated system. The "single system image," 
the vehicle through which tactical questions are resolved, com- 
prises electronic mail, database access, print and plot service, and 
archival storage for all users. Funded by Digital Equipment 
Corporation. 22 pages. 1980. $8 members, $16 non-members. 



#2 Information Technology—Can It All Fit? 

Proceedings of the Current Issues Forum at the 
1988 CAUSE National Conference 

Based on the proceedings of the Current Issues Forum at the 1988 
CAUSE National Conference in Nashville, Tennessee, where 
three panelists discussed information technology management on 
campus. Paige Mulhollan, Wright State University President, 
advocated a highly centralized management style; Robert Scott, 
Vice President for Finance at Harvard University, discussed the 
factors that led to a decentralized approach at Harvard; and 
Thomas W. West, Assistant Vice Chancellor for Computing and 
Communications Resources at The California State University 
System, explored alternative models for managing information 
resources. Funded by IBM Corporation. 17 pages. 1989. $8 
members, $16 non-members. 



#3 An Information Technology Manager's Guide to 
Campus Phone Operations 
by Gene T. Sherron 

A guide for managers of information technology faced with the 
challenge of integrating voice communications into the informa- 
tion technology infrastructure across campus. Taking a "primer" 
approach, this paper outlines the major issues in telecommunica- 
tions facing campuses today, a quick look at the history of 
deregulation and effects of divestiture, a description of the basic 
components of the phone business — switch options, financing 
considerations, management systems, telephones, wiring, and 
ISDN — and a brief consideration of some of the management 
issues of a telecommunications organization. Funded by North- 
ern Telecom. 26 pages. 1990. $8 members, $16 non-members. 



#4 The Chief Information Officer 
in Higher Education 

by James I. Penrod, Michael C. Dolence, 
and Judith V. Douglas 

An overview of the chief information officer concept in higher 
education, including the results of a survey conducted by the 
authors in 1989. This paper examines the literature that has 
developed as increasing numbers of organizations in business, 
health care, and higher education have embraced the concept of 
managing information as a resource and addressed the need for a 
senior-level policy officer with responsibility for information 
technology throughout the enterprise. The authors provide an 
extensive literature review, including a discussion of industry 
surveys, and a bibliography of over 140 books and articles. Their 
survey results are included in the appendix. Funded by Deloitte & 
Touche. 42 pages. 1990. $8 members, $16 non-members. 



#5 Information Security in Higher Education 
by Raymond Elliott, Michael Young, Vincent 
Collins, David Frawley, and M. Lewis Temares 

An examination of some of the key issues relating to information 
security on college and university campuses, based on in-depth 
interviews conducted by the authors at selected higher education 
institutions. Findings and observations are presented about infor- 
mation security awareness, policies, administration, control, is- 
sues and concerns, as well as risk assessment and the role of 
auditors and consultants in information security design, review, 
and testing. Funded by Coopers & Lybrand. 26 pages. 1991. $8 
members, $16 non-members. 



#6 Open Access: A User Information System 
by Bernard W. Gleason 

A discussion of the need to provide open access to all necessary 
campus information resources to administrators, faculty, and 
students. Based on his experiences at Boston College, the author 
offers design concepts and principles for a user information 
system providing open and easy access to information. In addi- 
tion, the paper addresses many of the organizational, managerial, 
social, and political forces and issues that are consequences of an 
open access strategy on campus. Funded by Apple Computer, Inc. 
24 pages. 1991. $8 members, $16 non-members. 



CAUSE is a nonprofit professional association whose mission is to promote effective 
planning, management, development, and evaluation of computing and information 
technologies in colleges and universities, and to help individual member representatives 
develop as professionals in the field of information technology management in higher 
education. Incorporated in 1971, the association serves its membership of more than 900 
campuses and 2,500 individuals from the CAUSE national headquarters at Suite 302E, 
4840 Pearl East Circle, Boulder, Colorado 80301. For further information phone (303) 
449-4430 or send electronic mail to: info@CAUSE.colorado.edu. 

CAUSE is an Equal Opportunity Employer and is dedicated to a policy that fosters mutual 
respect and equality for all persons. The association will take affirmative action to ensure 
that it does not discriminate on the basis of age, color, religion, creed, disability, marital 
status, veteran status, national origin, race, or sex, and actively encourages members and 
other participants in CAUSE-related activities to respect this policy. 